Accelerate your journey to zero trust with zero trust orchestration
How to orchestrate secure, reduced-friction user journeys within a Zero Trust Framework
Customer-facing applications
For example:
• Online retail websites
• Online and mobile banking apps
• Customer portals
Security risks:
• Customers are exposed to account takeovers and identity theft
• Fraud and scams lead to financial losses and reputational damage
• Data breaches result in data privacy violations and regulatory penalties

Employee-facing applications
For example:
• HR portals
• File systems
• Line-of-business apps
Security risks:
• Ransomware attacks pose an existential threat to business operations
• Risk of intrusion and data theft by hackers and fraudsters
• Potential abuse of resources by employees
• Overly permissioned users disrupt systems, either by accident or by intent

Table 1: Drivers for Zero Trust (application types and security risks; the user experience risks are listed under Market Challenges below)
INTRODUCTION
Cloud computing and interconnectivity have changed IT security forever. In the old days, when all your servers lived in your own data centre and everyone connected directly within your corporate network, or via VPN, you could rely on your corporate firewall as a fixed perimeter security control. Today, your employees, partners and customers, as well as connected devices from the Internet of Things, could be logging in from any location, via any network, to services hosted anywhere.

Keeping your business safe in these complex hybrid, multi-cloud, hyper-connected and highly collaborative landscapes is far more challenging. Organisations are increasingly recognising that the only way to stay secure in this world while providing a frictionless user experience is through a Zero Trust security approach, which replaces reliance on legacy network security controls with an approach where every access request is assessed on a rich contextual basis. This Zero Trust Architecture becomes the new perimeter.

Zero Trust is no longer just a buzzword: it is now mandated or recommended by governments and industry bodies around the world. However, we see that a successful adoption of Zero Trust principles such as those defined in NIST SP 800-207 requires the orchestration of multiple elements that combine to provide policy-based controls that work across user journeys and channels. These user journeys often involve both legacy and modern systems and services that need to work together seamlessly, and managing these interactions introduces new problems.

This paper explores best practices for orchestrating these interoperating elements as part of a comprehensive Zero Trust framework, addressing the following key questions:
• What are the market challenges that are driving organisations to implement Zero Trust?
• What is a Zero Trust Orchestration layer, and why is it required?
• Where does an Orchestration layer deliver the greatest benefits?
• How are Capgemini and Ping Identity helping organisations adopt Zero Trust Orchestration?
MARKET CHALLENGES DRIVING ZERO TRUST
We now live in a world where employees expect to be able to work from anywhere and log in to corporate and partner systems via any device on any available network connection. The challenge for organisations is to open up more streamlined, user-friendly access for employees in this modern environment, while maintaining appropriate levels of security to protect against increasingly sophisticated cyber threats.

Meanwhile, customers (and regulators) are increasingly concerned about data privacy and the risk of identity theft, fraud and scams. Customer-facing systems, which have traditionally been designed to maximise user convenience in a siloed way, must now find ways to bolster security and protect customer data while simultaneously improving the user experience.
User experience risks

Customer-facing applications:
• Complex registration processes discourage new customers from signing up
• Difficulty logging in increases the risk of shopping cart abandonment
• Personal data used in authentication raises privacy concerns

Employee-facing applications:
• Multiple logins and lack of SSO result in employees locking themselves out of their applications, impacting productivity
• Frequently re-entering user IDs, passwords and OTPs creates friction

Table 1: Drivers for Zero Trust (user experience risks; the application examples and security risks are listed at the start of the document)
Balancing the competing demands of security and user experience for customers and employees has become increasingly challenging due to the levels of connectivity and flexibility required by modern user journeys. A routine user journey, such as a customer ordering a product or an employee creating a purchase requisition, now often involves interactions between dozens of services, from legacy systems hosted in the company's data centre to microservices and third-party SaaS applications running across multiple clouds. A key driver for a Zero Trust approach is that it can provide a solution to this demand for both security and user experience in today's open environments, by taking into account the broader risk and context of the specific access at any point in time.
[Figure 2, pillars: Identity; Devices; Networks; Applications & Workloads; Data]
THE ROLE OF ZERO TRUST ORCHESTRATION
A Zero Trust Orchestration service within a Zero Trust Architecture provides a policy and integration layer capable of connecting identity elements from many systems, providing a single point of control. An Orchestration service can capture signals from your underlying applications and infrastructure and pass them to a central policy engine that drives smart, real-time decision-making during complex user journeys. And best-practice Orchestration solutions, such as PingOne DaVinci, empower you to map out these user journeys as seamless flows, while defining the authentication and authorisation requirements for each resource based on appropriate risk metrics.

A Zero Trust Orchestration service makes it possible to implement Zero Trust principles quickly, effectively, and cost-efficiently, so you can design, deploy and evolve your user journeys seamlessly in response to emerging business needs.
[Figure 2, cross-cutting capabilities: Visibility and Analytics; Automation and Orchestration; Governance]
WHY DO WE NEED ZERO TRUST ORCHESTRATION?
As described above, a Zero Trust approach is becoming the only viable solution for effectively providing access in these extended IT ecosystems. However, implementing and managing a comprehensive Zero Trust framework can be complex.

The fundamental principle of the Zero Trust model is based on the assumption of a breach and entails a meticulous examination of each request as if it were originating from an entirely untrusted source, such as the unrestricted internet. Regardless of the origin or the resource being accessed, the Zero Trust approach mandates a "never trust, always verify" methodology.

Each request must provide sufficient evidence of its legitimacy as originating from an authorized user or application. Every access request undergoes comprehensive authentication, authorization, and encryption before and during the session. Additionally, the level of verification deemed "sufficient" may vary dynamically based on context, necessitating additional security measures and/or modification of access privileges.

Establishing the context for Zero Trust verification requires the organisation to gather information (or "signals") from a number of different sources, which are potentially interpreted by multiple policy engines. As Zero Trust implementations become more sophisticated and the number and type of signals increase, a Zero Trust Orchestration layer becomes vital to integrate the information from all these signals, make dynamic decisions on whether the access request aligns with security policies, and trigger an appropriate response from the security tooling that enforces access control across the technology stack. It is this ability to take signals, make smart access control decisions based on those signals and then orchestrate the enforcement of policy throughout the technology stack that forms the core of the technology implementation element of a Zero Trust programme.
Figure 2: Zero Trust Maturity Model Pillars, CISA Zero Trust Maturity Model, Version 2.0, April 2023. CISA define Automation and Orchestration as a foundational cross-cutting capability for Zero Trust Architectures.
[Figure: Policy-driven Orchestration. Risk signals feed a Decisioning stage whose outcomes (Deny, Approve, Challenge, Obfuscate) are passed to Enforcement. Results: access decisions based on fully orchestrated policies acting on comprehensive best-of-breed risk signals; managed edge Zero Trust use cases with the best vendors for the task.]
ZERO TRUST ORCHESTRATION USE CASES
We now see Zero Trust Orchestration as a fundamental component within any Zero Trust Architecture. Some use cases where Zero Trust Orchestration is particularly beneficial include:

Providing adaptive trust in complex heterogeneous environments
Zero Trust Orchestration can help you gather risk signals from right across your network, including various risk and policy engines and wider security tooling, to feed them into a central Orchestration policy engine that can deny, approve, log or request additional authentication for access requests at all relevant stages in your user journeys. Moreover, a Zero Trust Orchestration service can then enable automated risk mitigations beyond Access Management, such as firewall and device patching, or removal of access rights through IGA integration, proactively preventing incidents and saving time for your security team.

Industry-leading solutions such as PingOne DaVinci allow organisations to streamline and simplify this process by including integration connectors to security tools like CrowdStrike, OPSWAT, Splunk, Intune, Jamf, PingOne Protect and hundreds more, all out of the box.
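To make the loop described in the preceding sections concrete (signals gathered from several sources, a context-dependent decision to approve, challenge or deny, enforcement and remediation actions handed to the tooling, and re-evaluation while the session is live), the following is an added example written for this page; it is not PingOne DaVinci or Capgemini code. The three signal sources (device posture, IP reputation, user risk score), the risk points each contributes, the per-sensitivity thresholds and the action names such as push_device_patch and revoke_access_via_iga are assumptions chosen for the example, and the sample requests are constructed rather than real telemetry.

```python
"""
Toy Zero Trust orchestration policy engine: aggregate risk signals, decide,
and list the enforcement actions to orchestrate. Added example, not vendor
code. Signal sources, points, thresholds and action names are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    CHALLENGE = "challenge"  # require step-up (e.g. MFA) before granting access
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    sensitivity: int  # assumed scale: 1 = public ... 4 = restricted
    mfa_satisfied: bool = False
    context: dict = field(default_factory=dict)  # signals gathered for this request


@dataclass
class Verdict:
    decision: Decision
    risk: int
    reasons: list
    actions: list  # enforcement/remediation actions for the orchestration layer to trigger


# Signal sources: each maps a request to (risk points, reason, remediation action).
# In a real deployment these would be connectors to EDR, IP reputation, UEBA/fraud and IGA tools.
def device_posture(req: AccessRequest):
    dev = req.context.get("device", {})
    if dev.get("vulnerability_detected"):
        return 40, "device vulnerability detected", "quarantine_device"
    if not dev.get("patched", True):
        return 15, "device update available", "push_device_patch"
    return 0, None, None


def ip_reputation(req: AccessRequest):
    rep = req.context.get("ip_reputation", "clean")
    if rep == "malicious":
        return 60, "originating IP is known malicious", "block_ip"
    if rep == "suspicious":
        return 25, "originating IP is suspicious", None
    return 0, None, None


def user_behaviour(req: AccessRequest):
    score = req.context.get("user_risk_score", 0)  # 0..100 from a UEBA/fraud engine
    if score >= 80:
        return 50, "user risk score high", "revoke_access_via_iga"
    if score >= 40:
        return 20, "user risk score elevated", None
    return 0, None, None


SIGNAL_SOURCES = [device_posture, ip_reputation, user_behaviour]

# Per-sensitivity thresholds: (challenge at or above, deny at or above).
# More sensitive resources tolerate less accumulated risk.
THRESHOLDS = {1: (50, 90), 2: (35, 80), 3: (20, 70), 4: (10, 60)}


def evaluate(req: AccessRequest, sources=SIGNAL_SOURCES) -> Verdict:
    """Aggregate all signals, decide, and list the actions to orchestrate."""
    risk, reasons, actions = 0, [], []
    for source in sources:
        points, reason, action = source(req)
        risk += points
        if reason:
            reasons.append(reason)
        if action:
            actions.append(action)
    challenge_at, deny_at = THRESHOLDS[req.sensitivity]
    if risk >= deny_at:
        decision = Decision.DENY
    elif risk >= challenge_at and not req.mfa_satisfied:
        decision = Decision.CHALLENGE  # a completed step-up turns this into APPROVE
    else:
        decision = Decision.APPROVE
    actions.append("log_decision")  # every decision is logged, whatever the outcome
    return Verdict(decision, risk, reasons, actions)


def reevaluate_session(req: AccessRequest, new_signals: dict) -> Verdict:
    """Continuous verification: re-run policy when a new signal arrives mid-session."""
    merged = {**req.context, **new_signals}
    updated = AccessRequest(req.user, req.resource, req.sensitivity,
                            req.mfa_satisfied, merged)
    return evaluate(updated)


if __name__ == "__main__":
    # Constructed sample requests, not real telemetry.
    clean = AccessRequest("alice", "hr-portal", 2,
                          context={"device": {"patched": True}, "ip_reputation": "clean"})
    print(evaluate(clean).decision)  # Decision.APPROVE
    risky = AccessRequest("alice", "hr-portal", 2,
                          context={"device": {"patched": False}, "ip_reputation": "suspicious"})
    print(evaluate(risky).decision, evaluate(risky).actions)  # CHALLENGE, push_device_patch
    print(reevaluate_session(clean, {"device": {"vulnerability_detected": True}}).decision)
```

Two points the code shows that the prose only states: the same accumulated risk yields different decisions for resources of different sensitivity, and a request that would be challenged is approved once the step-up has been satisfied, so the challenge is a friction lever rather than a refusal. reevaluate_session is the "during the session" part of verification: a device vulnerability reported after login drops an approved session back to a challenge and queues a quarantine action for the device tooling.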
[Figure 3: best-of-breed risk signals from multiple vendor sources, such as Device Update Available, Suspicious Originating IP Address, Suspicious Browser History and Device Vulnerability Detected, feeding the orchestration policy engine]
Figure 3: Feed best-of-breed risk signals into your orchestration policy engine to ensure appropriate decisioning, enforcement, and remediation.
Rapid development and integration
Best-practice Zero Trust Orchestration services make it easy to develop and deploy new user journeys by seamlessly integrating new services and components into authentication and authorisation flows. With a low-code, drag-and-drop interface, you can quickly extend your Zero Trust landscape to secure additional systems and resources, and easily introduce new identity, security and risk services to gain even richer context to inform your authentication and authorisation policies.

User journey optimisation
Zero Trust Orchestration not only creates a unified point of control for your Zero Trust architecture; it also provides centralised visibility across your user journeys. It enables you to introduce alternative flows and perform A/B testing to determine optimal risk thresholds. This gives the insight needed to add or reduce friction at appropriate stages in each user journey to ensure policy compliance and maintain security while also delivering a better user experience.
Case study: Electricity Systems Operator
Capgemini helped a major national energy network operator unify customer journeys across a variety of modern and legacy applications for more than 10,000 users with a Zero Trust single sign-on (SSO) solution. Using PingOne DaVinci, the team orchestrated key customer journeys including authentication, registration, social login and self-service, simplifying identity management, strengthening security, improving user experience, and saving time for the IT service desk.

Case study: Pharmaceutical Company
Capgemini enabled a large multinational pharmaceutical company to modernise its digital landscape by creating a Zero Trust security framework for more than 20,000 employees across more than 150 global locations. The solution significantly improves the user experience and simplifies the technical infrastructure, as well as optimising capital and operational expenditure and streamlining the integration of new mergers and acquisitions.
NEXT STEPS
To learn more about how Capgemini and Ping Identity can help your organisation embrace Zero Trust Orchestration to provide your customers and employees with reduced-friction user experiences, without compromising on security, reach out to us today.

AUTHORS
Andrew Critchley
Global Head of IAM Capability
Capgemini
Andrew.critchley@

Rob Otto
Field CTO / Principal Solutions Architect
Ping Identity
Robotto@
TAKING ZERO TRUST FROM THEORY TO PRACTICE
To make the shift to a Zero Trust Architecture, it helps if you can call on the experts. Capgemini has one of the largest Identity and Access Management (IAM) practices in the world, with over 1,000 consultants who have delivered more than 200 major IAM projects in the last five years alone. Based on its long-established Ping Identity track record and number of certified staff, Capgemini is also a Ping Delivery Approved Elite Partner. And Capgemini has recently transformed its own internal IT security model to embrace Zero Trust principles, using Ping Identity extensively within the Zero Trust Identity tower and for Identity Orchestration.

Capgemini is now providing Identity and Zero Trust services to our clients, built around four key pillars:
• Assess: measure the maturity of your organisation's approach to implementing Zero Trust in alignment with the industry-standard maturity model developed by CISA.
• Advise: advise on all elements of Zero Trust, from governance, operating models, and principles through to architecture and design. Zero Trust is not simply a matter of technology.
• Implement: work with you to implement secure Zero Trust environments, governance, and operational services.
• Operate: manage Zero Trust technologies from secure locations across the globe, providing full security monitoring and response 24x7.

Together with Ping Identity, Capgemini can work with you to help start or accelerate your Zero Trust journey, using our knowledge of all areas of Zero Trust, including Zero Trust Orchestration, to make this a reality.
ZERO TRUST ORCHESTRATION SOLUTIONS: PINGONE DAVINCI
Having implemented PingOne DaVinci with multiple clients, Capgemini sees PingOne DaVinci as a best-practice solution for Zero Trust Orchestration in Identity. A particular strong point of PingOne DaVinci is that it has allowed us to build identity flows using its highly visual, drag-and-drop interface, without needing to write a single line of code. This simplifies and accelerates the process of creating, updating, testing and deploying user journeys that optimise security while minimising friction for end-users.

Furthermore, PingOne DaVinci is completely vendor-agnostic and integrates easily with third-party services. This makes it particularly suitable for organisations that want to build a Zero Trust Orchestration layer on top of their existing legacy identity